Failed to establish chain problem

Rob Chung
Ranch Hand

Joined: Oct 15, 2002
Posts: 46
I created a keystore through the use of keytool.
I then created a .csr request file through keytool.
I then went to the Thawte site and pasted in the data from the .csr file in order to get a temp. certificate from Thawte.
I then cut the certificate data generated from Thawte and pasted into a notepad file .cer.
I tried to import this .cer file into the keystore I created.
I kept having this error: keytool error: java.lang.Exception: Failed to establish chain from reply
I then obtained Thawte's own public certificate and saved that in a .cer file, and imported it into IE6 through tool>internet options>content>Certificates>other People and then export it in other format so that I can import the Thawte's own cert. as trusted certificate into my keystore. This import worked. But the initial import continued to have the failed to establish chain problem.
Please can someone give me some ideas?
Thanks in advance!
Lewin Chan
Ranch Hand

Joined: Oct 10, 2001
Posts: 214
Hej,
I remember having this problem, but I can't remember what I did to fix it.
Here's a couple of things you could try.
a) Check jre/lib/security/cacerts... keytool -list -v -keystore cacerts contains thawte's cert. Putting into your local keystore shouldn't be necessary.
b) If using jdk1.4, try installing the unlimited jurisdiction policy files.
L


I have no java certifications. This makes me a bad programmer. Ignore my post.
Rob Chung
Ranch Hand

Joined: Oct 15, 2002
Posts: 46
Lewin,
Thank you very much for your quick reply.
I did check that Thawte is one of the trusted entries in my cacerts file. But because I kept having the chain problem, I thought it's worth a try to put that into my keystore (which didn't help to solve my problem anyway).
I am using 1.4. Will look into the unlimited jurisdiction policy files now.
Rob Chung
Ranch Hand

Joined: Oct 15, 2002
Posts: 46
I have tried the jurisdiction jar files. Still same error.
Please do post more ideas if any come up.
Thanks!
Rob Chung
Ranch Hand

Joined: Oct 15, 2002
Posts: 46
Any more ideas please?
Thanks in advance!
Lewin Chan
Ranch Hand

Joined: Oct 10, 2001
Posts: 214
Is the file that you have pasted into notepad in a format something along the lines of

I'm not sure that keytool understands PEM format (at least it didn't in 1.3), so you may have to convert it into a DER/CER format using something like openssl
L
Rob Chung
Ranch Hand

Joined: Oct 15, 2002
Posts: 46
Thanks for replying.
The public cert. I got was :
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
I did convert it to other formats through the use of IE6, Tool>Internet Options>Content to import the certificate and export it as other format, then tried importing this converted-format cert. into my keystore. I still have the same error.
I searched the net for days and am still stuck with this same error.
Oleg Bivol
Greenhorn

Joined: Jun 04, 2003
Posts: 1
I took the following steps and succeeded in this matter:
1. created a keystore using keytool: "keytool -genkey -alias www.mysite.com -keyalg RSA -keysize 1024 -keystore key.store"
2. created a certificate signing request (.CSR): "keytool -certreq -alias www.mysite.com -file mysite.csr -keystore key.store" and sent it to Thawte.
3. Imported the received (from Thawte) certificate (.CRT): "keytool -import -trustcacerts -alias www.mysite.com -file mysite.crt -keystore key.store"
Some clients can refuse (without notice) connecting using this certificate in case it is not offered by the machine it was issued for - for example if it was issued for "www.mysite.com" but some other machine uses it to initiate an SSL session.
John Rayan
Greenhorn

Joined: Jul 09, 2003
Posts: 1
Hi,
I had the same problem and now have solved it by adding an alias name.
keytool -keystore mykeystore -keyalg RSA -import
-trustcacerts -alias myalias -file myfile.cer
Hope this will help you!
Johnny Utah
Greenhorn

Joined: Oct 03, 2003
Posts: 1
I had this problem, but I didn't import the CA root cert. After I imported the CA root certificate, then the certificate imported fine.
Victor Le
Greenhorn

Joined: Jun 18, 2004
Posts: 1
I just had the same problem recently and it turned out it was the format of my SSL cert causing the problem. Once I converted it to the PKCS#7 format, I could import the cert to the identity keystore and was able to start WLS8.1+sp2. Hope this helps.
[ June 18, 2004: Message edited by: Victor Le ]
javaguy manmana
Greenhorn

Joined: Nov 22, 2008
Posts: 1
Like somebody else said, you will get this error if you try to import a key using the same alias as before. Try a different alias name and see if it works. This error message is very cryptic for this problem.
Stefan Renemeister
Greenhorn

Joined: Sep 26, 2009
Posts: 13
It's a generic error message, it cannot complete the chain.
Most likely you don't have the same CA certificate present as your certificate is signed with.
Randy M Collins
Greenhorn

Joined: Feb 01, 2012
Posts: 1
Every time I have had this problem, it is because of a blank line at the end of one of the files being used.

Example:
....
SnxZOoxFXj7HXejOoWs12GmNiLlOfBbWX3bRDjkGrX1hywUfZynhW1NALzLDXfi3
RzFJW8ItZGAw65NR2iEyAg==
-----END CERTIFICATE-----

Make sure that at every stage of your cert process that you do not have a blank line after the -----END CERTIFICATE----- line.

Joanne Neal
Rancher

Joined: Aug 05, 2005
Posts: 3506
Is this the Bermuda triangle thread ? 6 people have now made their first post here. 5 have never been heard from again. Is this the end for Randy or will he buck the trend ?


Joanne
George Theophile
Greenhorn

Joined: May 31, 2013
Posts: 1
Had similar issues with WebLogic. Importing the provided CA response resulted in the exception error. However, copying the PKCS7 format and importing it with keytool worked fine due to the rootca information being included in the response. Hope this helps. This process has resolved 100% of the occurrences of this issue in our environment.
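
An added example, not part of any post in this thread: a standard-library Python check that classifies a CA reply file before `keytool -import` and flags the file-level issues posters here report (PEM versus DER, a PKCS#7 reply, a blank line after the END line). `inspect_reply` and `SAMPLE_REPLY` are names made up for this illustration, and the sample body is placeholder bytes rather than a real certificate.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample: placeholder bytes, not a real certificate, plus a trailing blank line.
_BODY = base64.b64encode(b"\x30\x82\x00\x08" + bytes(8)).decode()
SAMPLE_REPLY = (f"-----BEGIN CERTIFICATE-----\n{_BODY}\n"
                "-----END CERTIFICATE-----\n\n").encode()

def inspect_reply(data: bytes) -> dict:
    """Classify a CA reply file and list the formatting problems found."""
    report = {"encoding": None, "labels": [], "problems": [], "may_carry_chain": False}
    if data.startswith(b"\xef\xbb\xbf"):
        report["problems"].append("UTF-8 byte-order mark at start of file")
        data = data[3:]
    # 0x30 is the ASN.1 SEQUENCE tag: binary DER, so no text checks apply.
    if data[:1] == b"\x30" and b"-----BEGIN" not in data:
        report["encoding"] = "DER"
        return report
    blocks = list(PEM_BLOCK.finditer(data))
    if not blocks:
        report["problems"].append("no complete BEGIN/END block found")
        return report
    report["encoding"] = "PEM"
    if data[:blocks[0].start()].strip():
        report["problems"].append("text before the first BEGIN line")
    for m in blocks:
        label, body = m.group(1).decode(), m.group(2)
        report["labels"].append(label)
        if any(not line.strip() for line in body.splitlines()):
            report["problems"].append(f"{label}: blank line inside the block")
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            report["problems"].append(f"{label}: body is not valid base64")
            continue
        if der[:1] != b"\x30":
            report["problems"].append(f"{label}: decoded body is not DER")
    if data[blocks[-1].end():] not in (b"", b"\n", b"\r\n"):
        report["problems"].append("blank line or extra text after the last END line")
    certs = report["labels"].count("CERTIFICATE")
    report["may_carry_chain"] = certs > 1 or "PKCS7" in report["labels"]
    return report

if __name__ == "__main__":
    print(inspect_reply(SAMPLE_REPLY))
```

A clean single-certificate reply still needs its issuing CA certificate in the keystore or, with -trustcacerts, in cacerts; this check only rules out the file itself.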
Dennis Thorn
Greenhorn

Joined: Sep 11, 2013
Posts: 14
Joanne Neal wrote: Is this the Bermuda triangle thread ? 6 people have now made their first post here. 5 have never been heard from again. Is this the end for Randy or will he buck the trend ?


I think you are correct. I found this thread as I just had this problem. In my case I'm attempting to trim down what I import into my keystore.ks. I had everything working but when I examined the JKS keystore.ks I noticed it has the complete chain with the Root CA (our own local CA) at the top. I wasn't sure that was really wise, so I experimented with trying to import just the certificate. In my case, because of how I created the keystore in the first place, I already have an entry and the import fails with this error.

Anyhow, @Joanne it is amusing how nobody comes back from this thread. Hopefully I will be an exception ;)